System Check infection, laptop shut off during removal no longer booting


  • This topic is locked
44 replies to this topic

#1 8eight

8eight

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 23 March 2012 - 01:14 PM

I am posting in this forum because of issues during the removal of the "System Check" virus. I have a Dell Studio 15 with Windows XP, but currently the XP OS will no longer load when I start my laptop. So I'm not sure how to proceed with the removal guide or creating a new post in the Log Report forum.

I started noticing symptoms of the "System Check" intrusion with files/folders starting to become hidden. As I was scanning with MBAM the false reports for "System Errors" & "Scans" began popping up. MBAM locked up and didn't get to finish its scan. I had to just force shutdown the laptop. I did some research last night and found the removal guide on this site and a few others. I booted in Safe-mode with networking and began going through the removal process. I downloaded and renamed all the programs listed in the guide and saved them with alternate names on the desktop. I was able to run both RKill & TDSSKiller with no issues. However, as I was running MBAM my laptop shut down on its own.

Since then when I try to turn on my laptop the Dell Studio load screen will start as normal. Then there will be a blinking cursor on the top left of screen where it usually will begin listing actions right before the XP load screen. However after blinking a few times the screen just stays black and does not proceed further. At that point my only option is to force shut down and reboot. I am able to access "F2 Setup" & "F12 Boot Options" but am unable to access "F8 Safe Mode." I tried running a memory diagnostic through "F12" options and so far I haven't received any error reports.

I'm hoping someone can clarify if these are related or 2 separate issues. Also how I should proceed to hopefully remedy the issues.

- Cautiously optimistic,
8Eight


 


#2 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:27 PM

Posted 24 March 2012 - 08:15 AM

Hi 8eight,

I have reported this to our internal list for unbootable computers caused by malware. Someone will assist you soon.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:27 AM

Posted 26 March 2012 - 02:25 AM

Hello and sorry for the delay!

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 8eight

Posted 27 March 2012 - 09:57 PM

Hey Elise,

I used xPUD to create a log like you asked, but I can't upload it to my post. I believe attachments are disabled for this forum. Can you or another mod move this thread to the appropriate forum?

Thanks,
8eight

#5 Elise

Posted 28 March 2012 - 12:51 AM

My apologies, I intended to move this topic but apparently forgot. Please try it now. :)

regards, Elise


#6 8eight

Posted 28 March 2012 - 07:05 AM

No worries, let me know what you think.

Attached Files

  • Attached File  mbr.zip   587bytes   3 downloads


#7 Elise

Posted 28 March 2012 - 07:32 AM

Hi again,

Right click the following download link and select "save link/target as": xPUD_MBRfix
Save the file to your USB drive.
  • Boot the ailing computer to xPUD
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double click on xPUD_MBRfix to execute the script
  • When asked "what boot code do you want to write?" type m for XP boot code and press enter.
  • When asked "to which one do you want to write a new mbr?" type sda and press enter.
  • Type y and press enter to confirm your choices.
  • Press enter to close the window.
  • Upon finishing, its actions will produce a report (mlog.txt)
  • Post that report in your next reply

regards, Elise


#8 8eight

Posted 28 March 2012 - 11:25 PM

Here you go

Attached Files

  • Attached File  mlog.txt   418bytes   2 downloads


#9 Elise

Posted 29 March 2012 - 12:33 AM

Can you reboot normally now?

regards, Elise


#10 8eight

Posted 29 March 2012 - 05:51 PM

Hey,

I tried booting. It advanced past the Dell Load screen and the blinking cursor. But after that it just says "Invalid partition table_". Usually on boot when it gets to this point it gives me a b/w screen (similar to safe mode options) to choose between booting Windows XP Professional (default) or Windows XP Recovery Console. Dunno if that helps, let me know how you want me to proceed.

#11 Elise

Posted 30 March 2012 - 12:42 AM

In xPUD please navigate to your usb drive and click Tool > Open Terminal.

Type the following and press enter.

    fdisk -ul > fdisk.txt

This will create a text file named fdisk.txt on your usb drive. Please copy/paste its contents in your next reply.

regards, Elise


#12 8eight

Posted 30 March 2012 - 04:26 PM

Hey,

It's saying

fdisk: can't open '/ul'

PS: Oh and sorry for the slow responses. I think maybe there's a timezone difference since you're usually posting after 1am for me. I should be able to respond quicker since it's the weekend and I'll be up later so we hopefully get this thing hammered out.

#13 Elise

Posted 31 March 2012 - 01:32 AM

My apologies, the / had to be a -
I fixed the command in my previous post, can you please try it again?

regards, Elise


#14 8eight

Posted 31 March 2012 - 01:49 AM

    Disk /dev/sda: 500.1 GB, 500107862016 bytes
    255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
    Units = sectors of 1 * 512 = 512 bytes

       Device Boot       Start         End       Blocks  Id System
    /dev/sda1   ?   4000825897  4486009048    242591576   d Unknown
    Partition 1 does not end on cylinder boundary
    /dev/sda2   ?   2116206590  5363210070   1623501740+ c4 Unknown
    Partition 2 does not end on cylinder boundary
    /dev/sda3   ?   3277940311  4838085194    780072442   2 Unknown
    Partition 3 does not end on cylinder boundary
    /dev/sda4   ?            0           0            0   0 Empty
    Partition 4 does not end on cylinder boundary

    Partition table entries are not in disk order

    Disk /dev/sdb: 1059 MB, 1059323904 bytes
    2 heads, 63 sectors/track, 16420 cylinders, total 2068992 sectors
    Units = sectors of 1 * 512 = 512 bytes

       Device Boot       Start         End       Blocks  Id System
    /dev/sdb1   *           32     2068991      1034480   6 FAT16
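
One way to sanity-check a dumped mbr.bin offline, as an added example that is not part of the original thread: it parses the four partition entries and flags the impossibilities visible in the fdisk listing above (entries running past the end of a 976773168-sector disk, overlapping entries, non-standard boot flags). The function names are hypothetical and the sample's 0x7f status bytes are constructed; the start, size and type values come from the listing.

```python
import struct
from itertools import combinations

ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(rows):
    """Build a 512-byte MBR from up to four (status, type, start, count) rows (sample helper)."""
    rows = list(rows) + [(0, 0, 0, 0)] * (4 - len(rows))
    table = b"".join(ENTRY.pack(s, bytes(3), t, bytes(3), lba, n) for s, t, lba, n in rows)
    return bytes(446) + table + b"\x55\xaa"

def parse_mbr(sector):
    """Return (signature_ok, entries) for a raw 512-byte MBR dump such as mbr.bin."""
    if len(sector) != 512:
        raise ValueError(f"expected 512 bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        entries.append({"n": i + 1, "status": status, "type": ptype,
                        "start": start, "count": count})
    return sector[510:512] == b"\x55\xaa", entries

def check_entries(entries, disk_sectors):
    """List reasons the table cannot describe a real layout on a disk of disk_sectors."""
    used = [e for e in entries if e["type"] or e["count"]]  # skip all-zero (empty) slots
    findings = []
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"sda{e['n']}: boot flag 0x{e['status']:02x} is neither 0x00 nor 0x80")
        if e["start"] + e["count"] > disk_sectors:
            findings.append(f"sda{e['n']}: ends at sector {e['start'] + e['count'] - 1}, "
                            f"past the last sector {disk_sectors - 1}")
    for a, b in combinations(used, 2):
        if a["start"] < b["start"] + b["count"] and b["start"] < a["start"] + a["count"]:
            findings.append(f"sda{a['n']} and sda{b['n']} overlap")
    return findings

# Constructed sample: start/size/type values taken from the fdisk listing in this thread;
# the status bytes (0x7f) are invented, chosen only so that fdisk would print "?".
SAMPLE = build_mbr([(0x7f, 0x0d, 4000825897, 485183152),
                    (0x7f, 0xc4, 2116206590, 3247003481),
                    (0x7f, 0x02, 3277940311, 1560144884)])

if __name__ == "__main__":
    ok, entries = parse_mbr(SAMPLE)  # for a real dump: open("mbr.bin", "rb").read()
    print("0x55AA signature present:", ok)
    for line in check_entries(entries, disk_sectors=976773168):
        print(line)
```

A valid 0x55AA signature with entries like these means the table contents are damaged, not merely the boot code, which is why rewriting the boot code alone left the "Invalid partition table" message.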

#15 Elise

Posted 31 March 2012 - 05:39 AM

Looks like we'll have to rebuild that manually.

Try this please. You will need a USB drive.

Download xPUDtd and save it to a USB drive. (if the download opens in a separate tab, right-click the link and select Save Link/Target As)
  • Remove the USB & xPUD CD and insert it in the sick computer
  • Boot the Sick computer with the xPUD CD
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double-click on xPUDtd to extract and run it.
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [Analyse] and press Enter to continue.

Select Quick Search and press Enter.

If you receive a warning, select continue and press Enter.

At the following screen please see if the correct partition structure is displayed (meaning that TestDisk should show you the right sizes of partitions you know you have on disk). If you are not sure just quit at this point and post me the TestDisk log created on your USB drive.

Press Q repeatedly until TestDisk exits and post the log.

regards, Elise